Part of the RESPOND Playbook

Network Isolation Procedures

Response Objective: To immediately halt the lateral movement of malware by severing communication links between network zones (IT, iDMZ, and OT).

Isolation is the cyber equivalent of closing watertight doors. If a crew laptop is infected, we must ensure the malware cannot reach the Engine Control System. There are two ways to achieve this: Soft Isolation (shutting ports or links from the switch or firewall CLI) and Hard Isolation (physically disconnecting cables).

Method 1: Soft Isolation (via Firewall/Switch)

This is the preferred method as it allows the ETO to keep control of the network hardware while blocking malicious traffic. It only works while the switch's management plane still answers and can be trusted; if it does not, go straight to Method 2. Note also that shutting a port cuts the device's wired path only: a laptop with Wi-Fi or a second adapter may still have another route, so check the Communication Mapping for alternative paths.

Common Emergency CLI Commands (Cisco IOS syntax; HPE Comware takes the same interface/shutdown commands under "system-view", while HPE ArubaOS-Switch/ProCurve uses "interface <port> disable"):

# Enter configuration mode first (HPE Comware: "system-view" / "return" in place of "configure terminal" / "end")
configure terminal

# Shut down the access port connected to the infected device
interface GigabitEthernet1/0/12
shutdown

# Or, sever the link between IT and OT at the Core Switch (the port-channel uplink)
interface Port-channel1
shutdown
end

# Verify the port is administratively down, then save so an accidental reboot does not reopen it
show interfaces GigabitEthernet1/0/12 status
write memory
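The step the commands above leave implicit is finding which port the infected device actually sits on. The following Python helper is an added example and is not code from this playbook: it takes the device's MAC address and the raw "show mac address-table" output pasted from the switch, locates the port, expands the short interface name, emits the emergency command set in either Cisco IOS or HPE Comware syntax (the two vendors the page names), and produces the Cyber Incident Log line that the compliance point below requires. The sample MAC table, the vendor labels, the protected-port list and the log format are all constructed assumptions. It deliberately never connects to the switch; the ETO types the commands.

```python
"""Soft-isolation planning helper (added example; not from the playbook).

Given the MAC address of the infected device and the raw `show mac address-table`
output pasted from the switch, it finds the access port, prints the emergency
command set in Cisco IOS or HPE Comware syntax, and produces the Cyber Incident
Log line. It never talks to the switch itself: the ETO types the commands.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of Cisco IOS `show mac address-table` output (assumption).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56ab.1234    DYNAMIC     Gi1/0/12
  10    0050.56ab.9999    DYNAMIC     Gi1/0/14
  20    3c5a.b4de.0001    DYNAMIC     Po1
Total Mac Addresses for this criterion: 3
"""

# Short-to-long interface names as Cisco IOS prints and accepts them.
IFACE_PREFIXES = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet",
                  "Fa": "FastEthernet", "Po": "Port-channel"}

# Hypothetical protected list: the uplink your own management session rides on.
# Shutting it from the CLI strands the session; that link is a hard-isolation job.
NEVER_SHUT = {"GigabitEthernet1/0/48"}


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits whatever separator was used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_port(mac_table: str, mac: str) -> Optional[str]:
    """Port on which `mac` was learned, from `show mac address-table` output, or None."""
    wanted = normalize_mac(mac)
    for line in mac_table.splitlines():
        fields = line.split()
        # Data rows are: <vlan> <xxxx.xxxx.xxxx> <type> <port>; header lines never match.
        if len(fields) >= 4 and re.fullmatch(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",
                                             fields[1], re.IGNORECASE):
            if normalize_mac(fields[1]) == wanted:
                return fields[3]
    return None


def expand_interface(short: str) -> str:
    """Gi1/0/12 -> GigabitEthernet1/0/12, Po1 -> Port-channel1."""
    m = re.fullmatch(r"([A-Za-z]+)([0-9/.]+)", short)
    if not m:
        raise ValueError(f"unrecognised interface name: {short!r}")
    prefix, number = m.groups()
    return IFACE_PREFIXES.get(prefix, prefix) + number


def isolation_commands(vendor: str, interface: str) -> list:
    """Emergency shutdown command set for one interface, in the vendor's CLI dialect."""
    if interface in NEVER_SHUT:
        raise RuntimeError(f"{interface} carries the management session; use hard isolation")
    if vendor == "cisco_ios":
        # 'write memory' persists the shutdown so a reboot does not reopen the port.
        return ["configure terminal", f"interface {interface}", "shutdown", "end",
                f"show interfaces {interface} status", "write memory"]
    if vendor == "hpe_comware":
        # Comware: system-view/return instead of configure terminal/end; 'save' prompts.
        return ["system-view", f"interface {interface}", "shutdown", "return",
                f"display interface {interface} brief", "save"]
    raise ValueError(f"unsupported vendor: {vendor!r}")


def log_entry(action: str, interface: str, operator: str, authorised_by: str,
              when: Optional[datetime] = None) -> str:
    """One Cyber Incident Log line: UTC time, action, link, who did it, who authorised it."""
    when = when or datetime.now(timezone.utc)
    return (f"{when.strftime('%Y-%m-%dT%H:%M:%SZ')} | {action} | {interface} | "
            f"executed by {operator} | authorised by {authorised_by}")


def plan_isolation(mac_table: str, infected_mac: str, vendor: str = "cisco_ios") -> dict:
    """Port, command set and a note for one infected device; empty plan if the MAC is unknown."""
    short = find_port(mac_table, infected_mac)
    if short is None:
        # Not learned here: it may sit behind another switch, or be on Wi-Fi/another NIC.
        return {"port": None, "commands": [],
                "note": "MAC not learned on this switch; check other switches and Wi-Fi"}
    interface = expand_interface(short)
    return {"port": interface, "commands": isolation_commands(vendor, interface), "note": ""}


if __name__ == "__main__":
    plan = plan_isolation(SAMPLE_MAC_TABLE, "00:50:56:AB:12:34")
    print("\n".join(plan["commands"]))
    print(log_entry("SOFT ISOLATION (port shutdown)", plan["port"], "ETO", "Duty Officer"))
```

Run it with the real MAC table pasted in place of the sample. The NEVER_SHUT guard exists because the most common soft-isolation mistake is shutting the very link the SSH session arrives over; that link is cut by hand, not from the CLI.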

Method 2: Hard Isolation (Physical)

If the management interface of your switch is unresponsive (common during a DDoS or ransomware attack), or you can no longer trust what the switch reports, the ETO must physically disconnect the cables. Refer to your Communication Mapping (Identify Phase) to find these links.

The “Golden Cable”

Identify the Uplink Cable that connects the iDMZ to the OT Core Switch. Unplugging this single cable air-gaps the machinery from the rest of the ship, provided the Communication Mapping shows no other path into OT (a second uplink, a vendor cellular modem, or a dual-homed engineering workstation). If such a path exists, it must be pulled as well.

The VSAT Power-Down

If the attack is originating from the shore (Remote Access), power down the SATCOM modem, or pull the WAN cable on the main Firewall, to kill the external "Command & Control" link. Prefer cutting the link to powering off the Firewall itself: its logs and connection state are evidence for the investigation, and a power-off loses the volatile part of it.

The Isolation “Safety Drill”

Before pulling any cable or shutting any link, the ETO must confirm the Operational Impact with the duty officer:

Isolation Action        | Impact on Ship                                        | Pre-Action Check
Isolate ECR from Bridge | Loss of remote engine monitoring on the Bridge.       | Ensure the Engine Room is manned and "Local Control" is ready.
Isolate SATCOM          | Loss of email, weather updates, and shore reporting.  | Switch to handheld VHF / Iridium for emergency comms.
Isolate iDMZ            | Vendors lose remote access; data logging stops.       | Lowest-risk action; usually safe to do immediately.

UR E26 Compliance Point

Every isolation action must be logged in the Bridge Bell Book or a dedicated Cyber Incident Log: the time (UTC), the port or link affected, who authorised the action and who carried it out. This proves to auditors that the crew followed a structured response rather than acting at random.

Next Security Phase: Emergency System Shutdown Rules